Nov 14, 2022 - Economy

Crypto exchanges volunteer partial audits in trust exercise

Illustration of a person falling backwards into two large binary code numbers with human arms reaching out to catch

Illustration: Annelise Capossela/Axios

Voluntary audits are suddenly in vogue again, with crypto exchanges trying to prove their stability with a trust exercise meant to stem a raft of outflows.

Driving the news: Operators of crypto marketplaces are pledging to soon produce proof-of-reserve (PoR) reports, showing publicly what coins they hold on balance, with some promising more regular, third-party audited reports going forward.

Why it matters: Perhaps a silver lining in FTX.com's bad example: crypto exchanges are taking steps to be more transparent, saying they will make their Merkle Tree reserve certifications public.

  • Many exchanges use Merkle Trees, or hash trees, so that users can effectively follow an audit trail to verify their own balances against those of the exchanges.
  • The privacy-first approach of the cryptographic process anonymizes customer data.
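
A sketch of the check a customer would run against a published Merkle root, added here as an illustration; it is not Axios's reporting or any exchange's code. SHA-256, the leaf encoding, the pseudonymous ids and the balances are all constructed assumptions. It also shows why a root computed over a ledger with one account left out still verifies for everyone except that account's owner.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf(account_id: str, balance: int) -> bytes:
    # Assumed leaf encoding: pseudonymous id and balance; 0x00 tags a leaf.
    return h(b"\x00" + f"{account_id}:{balance}".encode())

def node(left: bytes, right: bytes) -> bytes:
    # 0x01 tags an interior node so a leaf can never be passed off as one.
    return h(b"\x01" + left + right)

def build_levels(ledger):
    """Return all tree levels, leaves first; leaves padded to a power of two."""
    level = [leaf(a, b) for a, b in ledger]
    while len(level) & (len(level) - 1):
        level.append(leaf("", 0))  # padding leaf
    levels = [level]
    while len(level) > 1:
        level = [node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def prove(levels, index):
    """Sibling hashes from leaf to root, each flagged if it sits on the left."""
    path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], index & 1 == 1))
        index >>= 1
    return path

def verify(root, account_id, balance, path):
    """What a customer runs: recompute the root from their own record."""
    acc = leaf(account_id, balance)
    for sibling, sibling_is_left in path:
        acc = node(sibling, acc) if sibling_is_left else node(acc, sibling)
    return acc == root

# Constructed ledger of (pseudonymous id, balance in smallest unit).
LEDGER = [("u-7f3a", 1200), ("u-02bc", 50), ("u-9e41", 730000),
          ("u-c5d0", 8), ("u-4b17", 41000)]
FULL = build_levels(LEDGER)
ROOT = FULL[-1][0]

# Same ledger with one liability left out before the root is published.
SHORT = build_levels([r for r in LEDGER if r[0] != "u-9e41"])
SHORT_ROOT = SHORT[-1][0]
```

Only the owner of the omitted account can notice the omission, which is why coverage depends on how many customers actually run the check.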

State of play: Crypto exchanges big and small over the last week have promised to produce PoR reports, including Binance, Bitget, Bybit, Deribit, Huobi, KuCoin, OKX and MEXC Global.

  • Some are publishing whatever numbers they have on hand in the meantime, showing the renewed urgency to shore up trust with customers.

What they're saying: "We are doing whatever we can to demonstrate our solvency and stability, without compromising customer data," Lennix Lai, director of financial markets at OKX, tells Axios, explaining its recent partnership with Nansen to show a part of its reserves.

  • A more formal report is on the way, Lai said.

What others are saying: Nic Carter, a general partner at Castle Island Ventures, who has long been pounding the table on PoR attestations, writes that if there was a "single thing" he could do to better the industry, it would be to "convince every custodial service provider" to have a routine PoR program.

  • He acknowledges that the exercise is not completely "trustless," but that it's a step in the right direction.
  • "Exchanges can omit certain liabilities to 'cheat' a PoR attestation."

Between the lines: FTX customers might have benefitted from regular PoR attestations, but reports to come from other peer exchanges wouldn't necessarily signal risk connected to their own FTX exposure.

  • Liabilities can be concealed.

Zoom in: Kraken is among the few exchanges already running a PoR attestation program.

  • The exchange recently froze FTX and Alameda-associated accounts to protect creditors.
  • "We will resolve each account on a case-by-case basis and may seek guidance from the bankruptcy court or trustee as appropriate," Kraken spokesperson Edith Camargo tells Axios.
  • "Other Kraken clients are not affected. Kraken maintains full reserves."

Others besides Kraken run PoR attestations already as well.

  • FTX.com and Celsius did not.

What we're watching: PoR attestations could just be a temporary salve, because they don't guarantee that investors will always have access to the coins they hold on an exchange.

  • Approaches to PoR reports also vary, and it's common for the best of them to merely serve up a snapshot of balances in time.

Case in point: Huobi Global published a list of wallet addresses holding an estimated $3.5 billion in various coins via its blog on Saturday, saying the company had conducted a Merkle Tree PoR audit related to its founder's sale of his majority stake in October.

  • The exchange said an audited, more up-to-date PoR attestation would follow.
  • The very next day, the exchange's parent said $18.1 million of its crypto couldn't be withdrawn from FTX, with customer assets accounting for $13.2 million of that, according to a filing.

The bottom line: Even public disclosures may fall short of providing total investor confidence. In an extreme example, FTX reportedly built a book-keeping backdoor unbeknownst to auditors.

  • Not your keys, not your coins.